http header won't inspect set-cookie headers. Set-cookie part of cookie keyword now...
authorAnoop Saldanha <poonaatsoc@gmail.com>
Tue, 26 Jun 2012 04:59:02 +0000 (10:29 +0530)
committerVictor Julien <victor@inliniac.net>
Thu, 28 Jun 2012 10:51:07 +0000 (12:51 +0200)
src/detect-engine-hhd.c

index e304da9d5ae5602185fd349bf363700b567e3433..306b3ca40633f8027d61c644df872fd081c65612 100644 (file)
@@ -138,9 +138,16 @@ static void DetectEngineBufferHttpHeaders(DetectEngineThreadCtx *det_ctx, Flow *
             size_t size1 = bstr_size(h->name);
             size_t size2 = bstr_size(h->value);
 
-            if (size1 == 6 &&
-                SCMemcmpLowercase(bstr_ptr(h->name), "Cookie", 6) == 0) {
-                continue;
+            if (flags & STREAM_TOSERVER) {
+                if (size1 == 6 &&
+                    SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)) {
+                    continue;
+                }
+            } else {
+                if (size1 == 10 &&
+                    SCMemcmpLowercase("set-cookie", bstr_ptr(h->name), 10) == 0) {
+                    continue;
+                }
             }
 
             /* the extra 4 bytes if for ": " and "\r\n" */
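Review bot: The STREAM_TOSERVER branch drops the `== 0` on its `SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6)` call, which both the removed line and the `set-cookie` branch just below still have, so the condition is inverted: a request header named `Cookie` is kept in the http_header buffer while any other six-byte header name (for example `Accept`) is skipped. Since the other two call sites treat a 0 return as a match, the line should read `SCMemcmpLowercase("cookie", bstr_ptr(h->name), 6) == 0) {`. DetectEngineBufferHttpHeaders begins before this hunk, so the `flags` parameter's origin is not visible here.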
@@ -183,20 +190,6 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
     uint32_t cnt = 0;
 
     if (det_ctx->hhd_buffers_list_len == 0) {
-        FLOWLOCK_RDLOCK(f);
-        DetectEngineBufferHttpHeaders(det_ctx, f, htp_state,
-                                      (flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER);
-        FLOWLOCK_UNLOCK(f);
-
-        for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
-            cnt += HttpHeaderPatternSearch(det_ctx,
-                                           det_ctx->hhd_buffers[i],
-                                           det_ctx->hhd_buffers_len[i],
-                                           flags);
-        }
-
-        DetectEngineCleanHHDBuffers(det_ctx);
-
         FLOWLOCK_RDLOCK(f);
         DetectEngineBufferHttpHeaders(det_ctx, f, htp_state, flags);
         FLOWLOCK_UNLOCK(f);
@@ -214,32 +207,6 @@ int DetectEngineRunHttpHeaderMpm(DetectEngineThreadCtx *det_ctx, Flow *f,
                                            det_ctx->hhd_buffers_len[i],
                                            flags);
         }
-
-        uint16_t hhd_buffers_list_len = det_ctx->hhd_buffers_list_len;
-        uint8_t **hhd_buffers = det_ctx->hhd_buffers;
-        uint32_t *hhd_buffers_len = det_ctx->hhd_buffers_len;
-
-        det_ctx->hhd_buffers_list_len = 0;
-        det_ctx->hhd_buffers = NULL;
-        det_ctx->hhd_buffers_len = NULL;
-
-        FLOWLOCK_RDLOCK(f);
-        DetectEngineBufferHttpHeaders(det_ctx, f, htp_state,
-                                      (flags & STREAM_TOSERVER) ? STREAM_TOCLIENT : STREAM_TOSERVER);
-        FLOWLOCK_UNLOCK(f);
-
-        for (i = 0; i < det_ctx->hhd_buffers_list_len; i++) {
-            cnt += HttpHeaderPatternSearch(det_ctx,
-                                           det_ctx->hhd_buffers[i],
-                                           det_ctx->hhd_buffers_len[i],
-                                           flags);
-        }
-
-        DetectEngineCleanHHDBuffers(det_ctx);
-
-        det_ctx->hhd_buffers_list_len = hhd_buffers_list_len;
-        det_ctx->hhd_buffers = hhd_buffers;
-        det_ctx->hhd_buffers_len = hhd_buffers_len;
     }
 
     return cnt;
@@ -3173,6 +3140,126 @@ static int DetectEngineHttpHeaderTest30(void)
 
 #endif /* #if 0 */
 
+static int DetectEngineHttpHeaderTest30(void)
+{
+    TcpSession ssn;
+    Packet *p1 = NULL;
+    Packet *p2 = NULL;
+    ThreadVars th_v;
+    DetectEngineCtx *de_ctx = NULL;
+    DetectEngineThreadCtx *det_ctx = NULL;
+    HtpState *http_state = NULL;
+    Flow f;
+    uint8_t http_buf1[] =
+        "GET /index.html HTTP/1.0\r\n"
+        "Host: www.openinfosecfoundation.org\r\n"
+        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
+        "\r\n";
+    uint32_t http_buf1_len = sizeof(http_buf1) - 1;
+    uint8_t http_buf2[] =
+        "HTTP/1.0 200 ok\r\n"
+        "Set-Cookie: dummycookieset\r\n"
+        "Content-Type: text/html\r\n"
+        "Content-Length: 6\r\n"
+        "\r\n"
+        "abcdef";
+    uint32_t http_buf2_len = sizeof(http_buf2) - 1;
+    int result = 0;
+
+    memset(&th_v, 0, sizeof(th_v));
+    memset(&f, 0, sizeof(f));
+    memset(&ssn, 0, sizeof(ssn));
+
+    p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+    p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+    FLOW_INITIALIZE(&f);
+    f.protoctx = (void *)&ssn;
+    f.flags |= FLOW_IPV4;
+
+    p1->flow = &f;
+    p1->flowflags |= FLOW_PKT_TOSERVER;
+    p1->flowflags |= FLOW_PKT_ESTABLISHED;
+    p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+    p2->flow = &f;
+    p2->flowflags |= FLOW_PKT_TOCLIENT;
+    p2->flowflags |= FLOW_PKT_ESTABLISHED;
+    p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
+    f.alproto = ALPROTO_HTTP;
+
+    StreamTcpInitConfig(TRUE);
+
+    de_ctx = DetectEngineCtxInit();
+    if (de_ctx == NULL)
+        goto end;
+
+    de_ctx->flags |= DE_QUIET;
+
+    de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
+                               "(msg:\"http header test\"; "
+                               "content:\"dummycookieset\"; http_header; "
+                               "sid:1;)");
+    if (de_ctx->sig_list == NULL)
+        goto end;
+
+    SigGroupBuild(de_ctx);
+    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+    int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf1,
+                          http_buf1_len);
+    if (r != 0) {
+        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
+        result = 0;
+        goto end;
+    }
+
+    http_state = f.alstate;
+    if (http_state == NULL) {
+        printf("no http state: \n");
+        result = 0;
+        goto end;
+    }
+
+    /* do detect */
+    SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
+
+    if (PacketAlertCheck(p1, 1)) {
+        printf("sid 1 matched but shouldn't have\n");
+        goto end;
+    }
+
+    r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOCLIENT, http_buf2, http_buf2_len);
+    if (r != 0) {
+        printf("toserver chunk 1 returned %" PRId32 ", expected 0: \n", r);
+        result = 0;
+        goto end;
+    }
+
+    /* do detect */
+    SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
+
+    if (PacketAlertCheck(p2, 1)) {
+        printf("sid 1 matched but shouldn't have\n");
+        goto end;
+    }
+
+    result = 1;
+
+end:
+    if (de_ctx != NULL)
+        SigGroupCleanup(de_ctx);
+    if (de_ctx != NULL)
+        SigCleanSignatures(de_ctx);
+    if (de_ctx != NULL)
+        DetectEngineCtxFree(de_ctx);
+
+    StreamTcpFreeConfig(TRUE);
+    FLOW_DESTROY(&f);
+    UTHFreePackets(&p1, 1);
+    UTHFreePackets(&p2, 1);
+    return result;
+}
+
 #endif /* UNITTESTS */
 
 void DetectEngineHttpHeaderRegisterTests(void)
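Review bot: The failure message after the STREAM_TOCLIENT AppLayerParse call still says `toserver chunk 1 returned ...`, which points at the wrong direction when the test fails; it should read `printf("toclient chunk 1 returned %" PRId32 ", expected 0: \n", r);`. The test only covers the response side: the request carries no Cookie header (and no six-byte header name at all), so the STREAM_TOSERVER branch of DetectEngineBufferHttpHeaders is never exercised, and a second case with a `Cookie:` request header plus a signature that must not match it would pin that side. det_ctx is created with DetectEngineThreadCtxInit but, unlike de_ctx, is never released at `end:`; if the sibling tests in this file pair it with DetectEngineThreadCtxDeinit, this one should too. The three separate `if (de_ctx != NULL)` guards at `end:` can be a single block.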
@@ -3237,6 +3324,8 @@ void DetectEngineHttpHeaderRegisterTests(void)
                    DetectEngineHttpHeaderTest28, 1);
     UtRegisterTest("DetectEngineHttpHeaderTest29",
                    DetectEngineHttpHeaderTest29, 1);
+    UtRegisterTest("DetectEngineHttpHeaderTest30",
+                   DetectEngineHttpHeaderTest30, 1);
 #if 0
     UtRegisterTest("DetectEngineHttpHeaderTest30",
                    DetectEngineHttpHeaderTest30, 1);
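Review bot: The newly registered name `DetectEngineHttpHeaderTest30` is the same as the disabled test directly below under `#if 0` (the hunk context at the top of the new test body shows that definition), so re-enabling that block would yield a duplicate definition and a double registration under one name. Giving the new test or the disabled one a distinct name avoids the collision; the disabled registration could also be dropped together with the dead body it refers to.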